(54) Digital signature generating/verifying method and system using public key encryption



(57) A digital signature generating/verifying method using a public key encryption scheme which ensures high security, reduction in length of the digital signature and independence of the length of the digital signature from that of the order of a base point. In generating a digital signature, a first hash value (e) satisfying a condition that e = H(M) is determined for a given message (M) by using a hash function (H), a numerical value (x) is obtained from translation of a random number, a hash value (r) satisfying a condition that r = h(x) is determined by using a hash function (h) whose output value is shorter than that of the first hash function (H), and the digital signature is generated by using the hash values (e) and (r) as determined. For verification of an inputted digital signature, the hash value (e) satisfying the condition that e = H(M) is determined, and for a numerical value (x) obtained from arithmetic operation of a public key (Q), a base point (P) and the inputted digital signature (r, s), a hash value (r') satisfying a condition that r' = h(x) is determined on the basis of the hash value (e), the digital signature (r, s), the base point (P) and the public key (Q) by using a hash function (h) whose output value is shorter than that of the first hash function (H). The hash value (r') is then compared with a tally (r) of the inputted digital signature to thereby verify the inputted digital signature.
Description

BACKGROUND OF THE INVENTION 



The present invention relates to a method and a system for generating and/or verifying a digital signature by using a public key encryption method for securing the security in a computer network.

The digital signature technology for imparting electric documents or the like for electronic commerce or transactions with a function equivalent to that of a conventional seal (hanko in Japanese) promises high efficiency utilization of computer-network system. However, with the conventional electronic mail encryption technology (also known as Privacy Enhanced Mail or PEM in abbreviation), it is impossible to process more than one digital signature for a single enhanced mail. In this conjunction, in the electronic commerce fields, it is expected in the not-so-distant future that the electronic document such as message and the like affixed with a number of digital signatures including not only the digital signature of a purchaser but also those of a distributor, salesman and/or monetary business-man will be handled. Under the circumstances, there arises a demand for the multiple digital signature technology which allows the electronic documents affixed with a plurality of digital signatures to be processed. In this conjunction, it is noted that a person who has received an electronic document affixed with a plurality of digital signatures will be forced to verify the authenticity of plural or N digital signatures written by other persons before writing or generating his or her own single digital signature. Thus, in order to enhance the availability of the digital signature facility in the computer network system, it will be required to increase the speed for verification of the plural (N) digital signatures. Besides, it is conceivable that in the electronic commerces, there is a possibility that comments may be added by a plurality of persons in the course of processing the electronic document.

For having better understanding of the invention, description will first be made in some detail of the technical background of the invention. As a typical one of the digital signature techniques known heretofore, there may be mentioned the public-key cryptography elliptic curve system disclosed in J. Koeller, A. J. Menezes, M. Qu and S. A. Vanstone: "Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography Elliptic Curve Systems (Draft 8)" in "IEEE P1363 Standard" published by the IEEE, May 3, 1996 and May 14, 1996, respectively.

Figure 9 is a schematic diagram showing generally a configuration of a computer network system in which the techniques disclosed in the above-mentioned literatures are adopted.

Referring to Fig. 9, there are connected to a network 1001 a system manager's computer 1002, a user A's computer 1003 and a user B's computer 1004 for mutual communication.

Operations of the individual units shown in Fig. 9 will be described below. 

System Setup 

The system manager's computer 1002 is in charge of generating an elliptic curve (E) 1006. Subsequently, a base point (also referred to as the system key) (P) 1007 of the order (n) 1008 is generated and registered in a public file 1005.

Key Generation 

A key generating function module 1011 incorporated in the user A's computer 1003 is designed to execute the 
processing steps which will be mentioned below. 

Step 1: In an interval [2, n - 2], an integer d_A is selected at random as a private key.

Step 2: A key Q_A is computed in accordance with Q_A = d_A P.

Step 3: The key (Q_A) 1015 is opened to the public as the public key. More specifically, the public key (Q_A) 1015 is transmitted together with the identifier name of the user A to the system manager's computer 1002 via the network 1001, whereon the identifier name of the user A is written in the public file 1005 at a column 1009 for the user A's name with the value of the public key (Q_A) 1015 being written in a column 1010 for the public key (Q_A).

Step 4: In the user A's computer 1003, the value of the private key (d_A) 1014 is held as the private key of the user A.

Digital Signature Generation Process

A digital signature generating function module 1033 incorporated in the user A's computer 1003 is designed to execute the processing steps mentioned below.

Step 1: Message (M) 1016 is received.

Step 2: Hash value e = H(M) is computed by using a hash function (H) 1028.

Step 3: Random number k is selected from the interval [2, n - 2] by using a random number generation function.

Step 4: Point kP = (x, y) is computed by a so-called "scalar multiplication on elliptic curve (E)" 1030.

Step 5: A first tally r given by r = x + e (mod n) is determined in accordance with the modular computation "r = x + e (mod n)" 1031.

Step 6: A private key (d_A) 1017 is inputted to modular computation process "s = k - d_A r (mod n)" 1032 for thereby determining a second tally s (= k - d_A r (mod n)).

Step 7: A message M 1016 and the digital signature (r, s) 1019 are sent to the user B's computer 1004 via the network 1001.

As the parameters required for the computations performed by the digital signature generating function module 1033, the elliptic curve (E) 1006, the base point which may also be referred to as the system key (P) 1007 and the order (n) 1008 registered in the public file 1005 held by the system manager's computer 1002 are referenced.

Digital Signature Verification Process

A digital signature verifying function module 1023 incorporated in the user B's computer 1004 is designed to execute the processing steps mentioned below.

Step 1: The user A's public key (Q_A) 1010 is fetched from the public file 1005 held by the system manager's computer 1002 to be set as a public key (Q_A) 1020. Additionally, the base point (system key) (P) 1007 is fetched from the public file 1005 held by the system manager's computer 1002 to be set as the base point (P) 1007B. Furthermore, the digital signature (r, s) 1019 sent from the user A's computer 1003 is received to be set as a digital signature (r, s) 1021. Besides, the message (M) 1016 sent from the user A's computer 1003 is received to be set as a message (M) 1022.

Step 2: The base point or system key (P) 1007B, the public key (Q_A) 1020 and the digital signature (r, s) 1021 are inputted to the process "scalar multiplication on elliptic curve (E)" and "addition" 1024 to thereby carry out the calculation "(x, y) = sP + rQ_A".

Step 3: The message M 1022 is inputted into the hash function H 1025 to thereby compute the hash value e = H(M).

Step 4: Through the computation process "r' = x + e (mod n)" 1026, a first tally "r' = x + e (mod n)" is determined.

Step 5: When the decision "r = r'" 1027 results in r = r' or YES, data "authenticated" is outputted, and if otherwise, "not authenticated" is outputted.



As the parameters required for the computations performed by the digital signature verifying function module 1023, the elliptic curve (E) 1006, the base point or system key (P) 1007 and the order (n) 1008 as registered in the public file 1005 held by the system manager's computer 1002 are referenced.

Through the processes described above, the digital signature (r, s) functions as an electronic seal (i.e., seal or "hanko" impressed electronically by the user A for the message M). To say in another way, the user B can hold the set of the message M and the digital signature (r, s) as the evidence indicating that the message M is issued by the user A. Further, although the user B can recognize the authenticity of the set of the message M and the digital signature (r, s), the user B can not originally generate the set of the message M and the digital signature (r, s). For this reason, the user A can not negate later on the fact that the digital signature (r, s) has been generated by the user A.

However, the conventional system described above suffers the problems which will be elucidated below. 



(1) Insufficient Proof for Security

In general, generation of a digital signature by a person having no private key provides a problem. If otherwise, the authenticity of the digital signature can not be ensured, degrading the creditability of the electronic commerce and rendering it impractical.

In the conventional system described above, it is required to prove that such tally combination (r, s) can not be generated which allows the output "authenticated" to be generated in the course of the digital signature verification processing without knowing the private key d_A. However, the conventional system provides no proof to this end. Parenthetically, it should be mentioned that the problem mentioned above has been pointed out in conjunction with ElGamal signature technology on which the conventional system described above is based.

(2) Long bit length of the digital signature

Now, assuming that relevant parameters have respective bit lengths as follows:

(a) The bit length representing the order n of the base point P is l_n bits (e.g. 160 bits).

(b) The bit length representing the output of the hash function H is l_H bits (e.g. 160 bits).

(c) The bit length of the private key d_A is l_n bits (e.g. 160 bits).

The output value of the hash function H of 160 bits is considered as being necessary in view of the fact that the hash function H has a collision-free property. In this conjunction, it is contemplated with the phrase "collision-free property" to mean that difficulty is encountered in finding two different input values which result in a same output value in view of the computational overhead. By way of example, in the case where the output value of a hash function H is 160 bits, it will be possible to find two different input values which result in a same output value by carrying out an attack method known as "Paradox of Birthday" a number of times on the order of 2^80 on an average, which is however difficult in view of the computational overhead.

Further, the bit length of 160 bits for the order n of the base point (system key) is considered as being necessary because of difficulty of solving the discrete logarithm problem relevant to the addition on the elliptic curve.

In this case, when the length of the tally r of the digital signature (r, s) is of bits with the length of the tally s being of l_n bits, then the total bit number amounts to (l_n + l_n) bits (e.g. 320 bits).

(3) The length of the digital signature is determined in dependence on the length of the parameter n of the elliptic curve. Consequently, when the length of the parameter n is increased for ensuring the security of the digital signature more positively in the future, the length of the digital signature increases correspondingly. Parenthetically, in conjunction with RSA and EES, it is noted that the length of the parameter n is unavoidably increased because of enhancement of the decryption method and the computer performance promoted as a function of the time lapse. Same will apply equally to the elliptical encryption in the future. To say in another way, it is expected that the length of the parameter n will necessarily increase as the decryption technology and the computer performance are enhanced as a function of time lapse. Such being the circumstances, it is desirable in conjunction with the elliptic encryption to realize the digital signature which does not depend on the length of the order n of the base point or system key P.

SUMMARY OF THE INVENTION

In the light of the state of the art described above, it is an object of the present invention to provide a digital signature generating and/or verifying method and system using a public key encryption scheme with high security as well as a recording medium for storing a program for carrying out the method.

Another object of the present invention is to provide a digital signature generating and/or verifying method and system using a public key encryption scheme, which allows the bit length of the digital signature to be shortened, and a recording medium for storing a program realizing the same.

Yet another object of the present invention is to provide a digital signature generating/verifying method and system which are based on the use of a public key encryption method in which the length of the digital signature is made to be independent of the length of the order of the base point, and a recording medium employed for storing a program realizing the same.

In view of the above and other objects which will become apparent as the description proceeds, there is provided according to a first generic aspect of the present invention a digital signature generating/verifying method of generating and/or verifying a digital signature authenticating electronically a signature affixed to a given document or message (M) by resorting to a public key encryption scheme. The digital signature generating/verifying method includes processing steps of determining for the given document or message (M) a hash value (e) satisfying a condition that e = H(M) by using a hash function (H), and determining for a numerical value (x) derived from translation of a random number a hash value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is shorter than that of the first-mentioned hash function (H).

Further, according to another general aspect of the present invention, there is provided a digital signature generating and/or verifying method of generating or verifying a multiple digital signature authenticating electronically signatures affixed to document such as messages and/or comments (M_i) as created and/or added sequentially by N users i (where i = 1, ..., N) by using a public key encryption scheme. The digital signature generating/verifying method includes the steps of (a) determining for a given one of the messages (M_i) a hash value (e_i) satisfying a condition that e_i = H(M_i) by using a hash function (H), (b) determining for a numerical value (x_i) obtained from translation of a random number a hash value (r_i) satisfying a condition that r_i = h(x_i) by using a hash function (h) whose output value is shorter than that of the first-mentioned hash function (H) and (c) executing the above-mentioned steps (a) and (b) for each of the users i (where i = 1, ..., N).

According to another general aspect of the present invention, there is provided a digital signature generating/verifying system for generating a digital signature authenticating electronically a signature affixed to a given message (M) by resorting to a public key encryption scheme. The digital signature generating/verifying system is composed of a processing unit for determining for the message (M) a hash value (e) satisfying a condition that e = H(M) by using a hash function (H), and a processing unit or module for determining for a numerical value (x) obtained from translation of a random number a hash value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is shorter than that of the hash function (H).

Furthermore, according to another general aspect of the present invention, there is provided a digital signature generating and/or verifying system for generating and/or verifying a multiple digital signature authenticating electronically signatures affixed to document such as messages and/or comments (M_i) as created and/or added sequentially by N users i (where i = 1, ..., N) by resorting to the use of a public key encryption scheme, wherein the digital signature generating/verifying system includes a module for determining for a given one of the messages (M_i) a hash value (e_i) satisfying a condition that e_i = H(M_i) by using a hash function (H), a module for determining for a numerical value (x_i) derived from translation of a random number a hash value (r_i) satisfying a condition that r_i = h(x_i) by using a hash function (h) whose output value is shorter than that of the first-mentioned hash function (H), and a module for validating the above-mentioned modules for each of the users i (where i = 1, ..., N).

The above and other objects, features and attendant advantages of the present invention will more easily be understood by reading the following description of the preferred embodiments thereof taken, only by way of example, in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the course of the description which follows, reference is made to the drawings, in which: 

Fig. 1 is a schematic block diagram showing generally a system configuration according to an exemplary embodiment of the present invention;

Fig. 2A is a block diagram showing a system configuration of a single digital signature generating/verifying unit executed by a user A's personal computer shown in Fig. 1;

Fig. 2B is a flow chart for illustrating a processing involved in the single digital signature generation algorithm executed by the user A's personal computer in conjunction with the system shown in Fig. 1;

Fig. 3 is a flow chart for illustrating a processing for a single digital signature verification processing or algorithm executed by a user B's personal computer in the system shown in Fig. 1;

Fig. 4 is a flow chart for illustrating a processing for a duple digital signature generation processing or algorithm executed by the user B's personal computer in the system shown in Fig. 1;

Fig. 5 is a flow chart for illustrating a processing for a duple digital signature verification processing or algorithm executed by a user C's personal computer in the system shown in Fig. 1;

Fig. 6 is a block diagram showing a computer network configuration according to another embodiment of the invention;

Fig. 7 is a flow chart for illustrating a processing for a triple digital signature generation algorithm executed by the user C's personal computer shown in Fig. 6;

Fig. 8 is a flow chart for illustrating a processing for a triple digital signature verification algorithm executed by a user D's personal computer in the system shown in Fig. 6; and

Fig. 9 is a schematic diagram showing generally a configuration of a conventional computer network system designed for transferring electronic documents affixed with digital signatures known heretofore.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Now, the present invention will be described in detail in conjunction with what is presently considered as preferred or typical embodiments thereof by reference to the drawings. In the following description, like reference characters designate like or corresponding parts throughout the several views. Also in the following description, it is to be understood that such terms as "document", "comment", "message" and the like are words of convenience and are not to be construed as limiting terms.

Figure 1 is a schematic block diagram showing generally a system configuration according to an exemplary embodiment of the invention. Referring to the figure, there are connected to a network 101 a user A's personal computer 102, a user B's personal computer 103 and a user C's personal computer 104. In the user A's personal computer 102, a user A's signature (r_1, s_1) 111 is generated for a user A's created document (M_1) 110 by using a base point which may also be referred to as the system key (P) 117 and a user A's private key (d_1) 118 in accordance with a single digital signature generation algorithm (AL_1) 105 to be subsequently sent to the user B's personal computer 103 via the network 101. In this conjunction, "r_1" and "s_1" of the user A's signature (r_1, s_1) 111 are defined as a first tally and a second tally, respectively. In the user B's personal computer 103, authenticity of the user A's issued document 109 composed of a set of the user A's created document (M_1) 110 and the user A's signature (r_1, s_1) 111 is verified by using a base point or system key (P) 119 and a user A's public key (Q_1) 120 in accordance with a single digital signature verification algorithm (AL_1') 106 and at the same time, a user A's and B's multiple signature (r_1, r_2, s_2) 113 is generated for the user A's created document (M_1) (i.e., document M_1 created by user A) 115, the user A's signature (r_1, s_1) 111 and a user B's addition such as comment (M_2) 114 by using the base point (P) 119 and the user B's private key (d_2) 121 in accordance with a duple digital signature generation algorithm (AL_2) 107 to be subsequently sent to the user C's personal computer 104 via the network 101. In the user C's personal computer 104, authenticity of the user B's issued document 112 composed of the set of the user A's created document (M_1) 115 and the user B's addition or comment (M_2) 114 as well as the user A's and B's multiple (duple) signature (r_1, r_2, s_2) 113 is verified by using the base point (P) 122, a user A's public key (Q_1) 123 and a user B's public key (Q_2) 124 in accordance with a duple digital signature verification algorithm (AL_2') 108.

Figure 2A is a block diagram showing a system configuration of the single digital signature generation/verification system shown in Fig. 1 and Fig. 2B is a flow chart for illustrating the processing for the single digital signature generation algorithm (AL_1) 105 mentioned previously in conjunction with the system shown in Fig. 1. Description will now be made by reference to Figs. 2A and 2B.

The system configuration shown in Fig. 2A bears correspondence to the one shown in Fig. 9. It can be seen that the former differs from the latter in respect to the algorithm in the digital signature generating block and 1032, the algorithm in the digital signature verifying block 1026 and the output algorithm in the block 1024.

Single Digital Signature Generation Algorithm (AL_1) 105

Step 201: Processing for executing this algorithm (AL_1) 105 is started.

Step 202: The user A's created document (M_1) 110, the base point (P) 117 and the user A's private key (d_1) 118 are inputted.

Step 203: A random number k_1 of l_n bits is generated.

Step 204: Computation is performed for determining k_1 P = (x_1, y_1).

Step 205: Hash value r_1 (= h(x_1)) of l_H/2 bits is computed.

Step 206: Hash value e_1 (= H(M_1)) of l_H bits is computed.

Step 207: Computation is performed for determining a tally s_1 in accordance with s_1 = k_1 + d_1 (e_1 + r_1) (mod n).

Step 208: Value of the single digital signature (r_1, s_1) 111 is outputted.

Step 209: The processing is terminated.

The single digital signature generated through the processing described above corresponds to an electronic image of a seal ("hanko" in Japanese) impressed on the message M_1 by the user A. In other words, the single digital signature (r_1, s_1) can be generated only when the private key d_1 equivalent to the seal kept only by the user A is used for the message M_1 as furnished.

Figure 3 is a flow chart for illustrating a processing for the single digital signature verification algorithm (AL_1') 106 in conjunction with the system shown in Fig. 1. Description will now be made by reference to Fig. 3.

Single Digital Signature Verification Algorithm (AL_1') 106

Step 301: Processing is started.

Step 302: The user A's created document (M_1) 110 and the single digital signature (r_1, s_1) 111 are inputted.

Step 303: The system key (P) 119 and the public key (Q_1) 120 are inputted.

Step 304: Hash value e_1 = H(M_1) of l_H bits is computed.

Step 305: Computation is performed for determining a first point on an elliptic curve, i.e., a first elliptic point (x_1, y_1) = s_1 P - (e_1 + r_1) Q_1.

Step 306: A numeric value r_1' = h(x_1) is computed.

Step 307: When the condition that r_1 = r_1' is met, the processing proceeds to a step 308 while if otherwise to a step 310.

Step 308: A signal or data "authenticated" is outputted.

Step 309: The first elliptic point (x_1, y_1) is outputted, whereon the processing proceeds to a step 311.

Step 310: "Not authenticated" is outputted.

Step 311: The processing is then terminated.

Through the processing described above, it can be confirmed whether or not the single or simple digital signature (r_1, s_1) is a correct signature, i.e., whether or not the single digital signature (r_1, s_1) corresponds to the correct or true seal image. More specifically, upon reception of the message M_1 and the single or simple digital signature (r_1, s_1), the user B (or user B's computer) checks to confirm the authenticity of the digital signature by referencing the public key Q_1 which corresponds to the registered seal ("hanko").

Figure 4 is a flow chart for illustrating a processing for the duple digital signature generation algorithm (AL_2) 107 in conjunction with the system shown in Fig. 1. Description will now be made by reference to Fig. 4.

Duple Digital Signature Generation Algorithm (AL_2) 107

Step 401: Processing is started.

Step 402: User B's addition or comment (M_2) 114, the base point (or system key) (P) 119 and the user B's private key (d_2) 121 are inputted.

Step 403: The first point (x_1, y_1) on the elliptic curve outputted in the step 309 is fetched.

Step 404: A random number k_2 of bits is generated.

Step 405: A point (x, y) = k_2 P is computed.

Step 406: A second point (x_2, y_2) = (x_1, y_1) + (x, y) is computed.

Step 407: Hash value r_2 = h(x_2) of bits is computed.

Step 408: Hash value e_2 = H(M_2) of l_H bits is computed.

Step 409: Computation for determining a tally given by s_2 = s_1 + k_2 + d_2 (e_2 + r_1 + r_2) (mod n) is performed.

Step 410: Value of the duple digital signature (r_1, r_2, s_2) 113 is outputted.

Step 411: The processing comes to an end.

The duple digital signature (r_1, r_2, s_2) generated through the processing described above corresponds to the seal image impressed on a whole document prepared by adding the user B's comment or addition (M_2) 114 to the message (M_1) 110 created by the user A and affixed with the single digital signature (r_1, s_1) 111. More specifically, when the message M_1 created by other person (user A) and affixed with the other person's single digital signature or the user A's single digital signature (r_1, s_1) in the case of the illustrated example is received by the user B and when the user B wants to add the comment M_2, the duple digital signature (r_1, r_2, s_2) is generated, which indicates that the seal is impressed for the whole document by using the private key d_2 corresponding to the seal which only the user B possesses.

Figure 5 is a flow chart for illustrating a processing for a duple digital signature verification algorithm (AL_2') 108 in conjunction with the system shown in Fig. 1. Description will now be made by reference to Fig. 5.

Duple Digital Signature Verification Algorithm (AL_2') 108

Step 501: Processing is started.

Step 502: The user A's created document (M_1) 115, the user B's added comment or addition (M_2) 114, and the duple digital signature (r_1, r_2, s_2) 113 are inputted.

Step 503: The base point or system key (P) 122, the user A's public key (Q_1) 123 and the user B's public key (Q_2) 124 are inputted.

Step 504: A hash value e_1 = H(M_1) of l_H bits is computed.

Step 505: A hash value e_2 = H(M_2) of l_H bits is computed.

Step 506: A second elliptic point given by (x_2, y_2) = s_2 P - (e_1 + r_1) Q_1 - (e_2 + r_1 + r_2) Q_2 is computed.

Step 507: A numerical value r_2' = h(x_2) is computed.

Step 508: When r_2 = r_2', the processing proceeds to a step 509, and if otherwise, to a step 511.

Step 509: A signal "authenticated" is outputted.

Step 510: The second elliptic point (x_2, y_2) is outputted, whereon the processing proceeds to a step 512.

Step 511: A signal or data "not authenticated" is outputted.

Step 512: The processing comes to an end.

Through the processing described above, it is confirmed whether or not the duple digital signature (r_1, r_2, s_2) is a correct signature, i.e., whether or not the duple digital signature (r_1, r_2, s_2) corresponds to the correct or true seal image. More specifically, upon reception of the message M_1, message M_2 and the duple digital signature (r_1, r_2, s_2), the user C checks to confirm that the digital signature is made authentically by the very users A and B by referencing the public keys Q_1 and Q_2 which correspond to the registered seals. In that case, the user C can confirm the authenticity of the digital signature without using either the private key d_1 corresponding to the user A's seal or the private key d_2 corresponding to the user B's seal.
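
The single and duple algorithms described above (AL_1, AL_1', AL_2, AL_2'), as an added Python example that is not part of the patent text. It assumes secp256k1 as the curve, SHA-256 as H and SHA-256 truncated to 128 bits as h, none of which the patent specifies; the range checks in the verifier are likewise an addition.

```python
import hashlib
import secrets

# Assumed domain parameters: secp256k1 (y^2 = x^3 + 7 over F_p). The patent
# names no curve; P is the base point (system key) and N its prime order n.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
R_BITS = 128  # assumed length of h's output: half of H's 256 bits

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP)
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(msg):
    """Long hash H (assumed: SHA-256), as an integer e."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def h(x):
    """Short hash h (assumed: SHA-256 of the x-coordinate, top R_BITS bits)."""
    return H(x.to_bytes(32, "big")) >> (256 - R_BITS)

def rand_scalar():
    return secrets.randbelow(N - 3) + 2  # uniform in [2, n - 2]

def keygen():
    d = rand_scalar()
    return d, mul(d, P)  # private key d, public key Q = dP

def sign_single(m1, d1):
    """AL_1, steps 203-208: returns (r1, s1)."""
    k1 = rand_scalar()
    r1 = h(mul(k1, P)[0])
    return r1, (k1 + d1 * (H(m1) + r1)) % N

def sign_duple(m2, d2, sig1, pt1):
    """AL_2, steps 403-410: pt1 is the point (x1, y1) output by verify_single."""
    r1, s1 = sig1
    pt2 = None
    while pt2 is None:  # retry in the negligible case k2 P = -(x1, y1)
        k2 = rand_scalar()
        pt2 = add(pt1, mul(k2, P))
    r2 = h(pt2[0])
    return r1, r2, (s1 + k2 + d2 * (H(m2) + r1 + r2)) % N

def _check(rs, s, terms):
    """Recompute sP - sum(c_i Q_i) and compare h(x) with the last tally in rs.
    The range checks are an added hardening step, not a step of the patent."""
    if not (all(0 <= r < 2**R_BITS for r in rs) and 0 <= s < N):
        return False, None
    pt = mul(s, P)
    for c, q in terms:
        pt = add(pt, neg(mul(c, q)))
    ok = pt is not None and h(pt[0]) == rs[-1]
    return ok, (pt if ok else None)

def verify_single(m1, sig, q1):
    """AL_1', steps 304-310: returns (authenticated, (x1, y1))."""
    r1, s1 = sig
    return _check([r1], s1, [(H(m1) + r1, q1)])

def verify_duple(m1, m2, sig, q1, q2):
    """AL_2', steps 504-511: returns (authenticated, (x2, y2))."""
    r1, r2, s2 = sig
    return _check([r1, r2], s2, [(H(m1) + r1, q1), (H(m2) + r1 + r2, q2)])

if __name__ == "__main__":
    (dA, QA), (dB, QB) = keygen(), keygen()
    m1, m2 = b"purchase order", b"distributor comment"  # constructed inputs
    sig1 = sign_single(m1, dA)
    ok1, pt1 = verify_single(m1, sig1, QA)
    sig2 = sign_duple(m2, dB, sig1, pt1)
    print("single:", ok1, "duple:", verify_duple(m1, m2, sig2, QA, QB)[0])
```

With these assumed lengths the single signature is 128 + 256 bits and the duple signature 128 + 128 + 256 bits, since each added signer contributes only one short tally r_i.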

In the foregoing, generation of the duple digital signature by using two private keys d_1 and d_2 has been described as an exemplary embodiment of the invention. In this conjunction, it should be mentioned that the principle underlying the digital signature generating/verifying method described above can be extended in general for the generation of an N-tuple digital signature generated by using N private keys d_1, d_2, ..., d_N.

Figure 6 is a block diagram showing a computer network configuration according to another embodiment of the invention on the assumption that the system is expanded so as to enable triple digital signatures, i.e., N = 3. Referring to the figure, there are newly connected to the network 101 a user D's personal computer 606 in addition to the user A's personal computer 102, the user B's personal computer 103 and the user C's personal computer 104. Set up newly in the user C's personal computer 104 in addition to the dual digital signature verification algorithm (AL_2') 108, the system key or base point (P) 122, the user A's public key (Q_1) 123 and the user B's public key (Q_2) 124 are a triple digital signature generation algorithm (AL_3) 604 and a user C's private key (d_3) 605. The user C's personal computer 104 creates a user C's issued document 601 and sends it to the user D's personal computer 606. The user C's issued document 601 contains newly a user C's addition or comment (M_3) 603 and users A's, B's and C's signatures (r_1, r_2, r_3, s_3) 602 in addition to the user A's created document (M_1) 613, the user B's addition such as a comment (M_2) 614 and a user A's and B's signatures (r_1, r_2, s_2) 612. Set up in the user D's personal computer 606 are a triple digital signature verification algorithm (AL_3') 607, a base point (P) 608, the user A's public key (Q_1) 609, the user B's public key (Q_2) 610 and the user C's public key (Q_3) 611.

Figure 7 is a flow chart for illustrating a processing for the triple digital signature generation algorithm (AL_3) 604
executed by the user C's personal computer 104 shown in Fig. 6.

Triple Digital Signature Generation Algorithm (AL_3) 604

Step 701: Processing is started.
Step 702: The user C's addition or comment (M_3) 603, the private key (d_3) 605, the base point (P) 122 and the duple
digital signature (r_1, r_2, s_2) 612 are inputted.
Step 703: Second elliptic point (x_2, y_2) outputted in the step 510 is fetched.
Step 704: A random number k_3 of l_H bits is generated.
Step 705: A point k_3 P = (x, y) is computed.
Step 706: Coordinates (x_3, y_3) = (x_2, y_2) + (x, y) are computed.
Step 707: A hash value r_3 = h(x_3) of l_H/2 bits is computed.
Step 708: A hash value e_3 = H(M_3) of l_H bits is computed.
Step 709: A tally s_3 = s_2 + k_3 + d_3(e_3 + r_1 + r_2 + r_3) (mod n) is computed.
Step 710: Value of the triple digital signature (r_1, r_2, r_3, s_3) 602 is outputted.
Step 711: The processing is terminated.



The triple digital signature (r_1, r_2, r_3, s_3) generated through the processing described above corresponds to the seal
image impressed on a whole document obtained by adding the user C's comment or addition M_3 to the messages M_1
and M_2 affixed with the users A and B's multiple digital signatures (r_1, r_2, s_2). More specifically, when the messages M_1
and M_2 affixed with other users' multiple digital signature (i.e., the users A's and B's multiple digital signatures in the
case of the illustrated example) (r_1, r_2, s_2) are received by a user (i.e., user C) and when the user C wants to add the
comment M_3, the triple digital signature (r_1, r_2, r_3, s_3) can be generated for the whole document created by the users A
and B and added with the comment M_3 by the user C only by using a private key d_3 corresponding to the seal which
only the user C possesses.

Figure 8 is a flow chart for illustrating a processing for the triple digital signature verification algorithm (AL_3') 607
executed by the user D's personal computer 606 in conjunction with the system shown in Fig. 6. Description will now
be made by reference to Fig. 8.



Triple Digital Signature Verification Algorithm (AL_3') 607

Step 801: Processing is started.
Step 802: The user A's created document (M_1) 613, the user B's addition or comment (M_2) 614, the user C's addition
or comment (M_3) 603 and the triple digital signature (r_1, r_2, r_3, s_3) 602 are inputted.
Step 803: The base point (P) 608, the user A's public key (Q_1) 609, the user B's public key (Q_2) 610 and the user
C's public key (Q_3) 611 are inputted.
Step 804: A hash value e_1 = H(M_1) of l_H bits is computed.
Step 805: A hash value e_2 = H(M_2) of l_H bits is computed.
Step 806: A hash value e_3 = H(M_3) of l_H bits is computed.
Step 807: A third point on the elliptic curve, i.e., a third elliptic point
(x_3, y_3) = s_3 P - (e_1 + r_1)Q_1 - (e_2 + r_1 + r_2)Q_2 - (e_3 + r_1 + r_2 + r_3)Q_3 is computed.
Step 808: Tally r_3' = h(x_3) is computed.
Step 809: When r_3' = r_3, the processing proceeds to a step 810, and if otherwise, proceeds to a step 812.
Step 810: Signal "authenticated" is outputted.
Step 811: The third elliptic point (x_3, y_3) is outputted, whereon the processing proceeds to a step 813.
Step 812: Signal "not authenticated" is outputted.
Step 813: The processing comes to an end.



Through the processing described above, it is confirmed whether or not the triple digital signature (r_1, r_2, r_3, s_3) is
a correct signature, i.e., whether or not the triple digital signature (r_1, r_2, r_3, s_3) corresponds to the correct or true seal
image. More specifically, upon reception of the message M_1, the message M_2, the message M_3 and the triple digital
signature (r_1, r_2, r_3, s_3), the user D can check to confirm whether or not the digital signatures have been made by the
very users A, B and C by referencing the public keys Q_1, Q_2 and Q_3 which correspond to the registered seals ("hanko")
of the users A, B and C, respectively.

The above-mentioned digital signature generation/verification method can be expanded to the case where N is
equal to or greater than "4" (four). In other words, in general, a digital signature generating/verifying method for verifying
electronically a multiple digital signature affixed to messages and/or comments M_i created and/or added by N users
(i = 1, ..., N) can be carried out in general as follows:

Procedure for Verifying Multiple Digital Signature by Users i (2 ≤ i ≤ N)

Step 901: Processing is started.
Step 902: The (i - 1) messages or comments M_1, ..., M_{i-1} and the (i - 1)-tuple digital signature
(r_1, ..., r_{i-1}, s_{i-1}) issued by an immediately preceding user (i - 1) are received.
Step 903: Computation of a hash value e_k = H(M_k) is repeated for the user (i - 1) starting from k = 1.
Step 904: Public keys Q_k previously generated for satisfying Q_k = d_k P and registered are inputted repetitionally for
the user (i - 1) starting from k = 1.
Step 905: A point (x_{i-1}, y_{i-1}) on the elliptic curve given by the following expression (5) is computed.

i-i * 

A-1 M-1 



Step 906: A hash value r_{i-1}' = h(x_{i-1}) is computed.
Step 907: When r_{i-1} = r_{i-1}', then data or signal indicating "authenticated" is issued.
Step 908: Point (x_{i-1}, y_{i-1}) on the elliptic curve is outputted, whereon the processing proceeds to a step 910.
Step 909: If r_{i-1} ≠ r_{i-1}', data indicating "not-authenticated" is issued.
Step 910: The processing comes to an end.



In other words, the digital signature generation/verification method for generating electronically the multiple digital
signature affixed to messages and/or comments (i.e., document) M_i created or added by N users (i = 1, ..., N) can be
performed as follows:

Generation Procedure of Multiple Digital Signature by Users i (2 ≤ i ≤ N)

Step 1001: Processing is started.
Step 1002: The point (x_{i-1}, y_{i-1}) obtained at the step 908 is inputted.
Step 1003: A hash value e_i = H(M_i) is computed.
Step 1004: A random number k_i is generated.
Step 1005: Point k_i P = (x, y) is computed.
Step 1006: Point (x_i, y_i) = (x_{i-1}, y_{i-1}) + (x, y) is computed.
Step 1007: A hash value r_i = h(x_i) is computed.
Step 1008: By using the private key d_i, the tally s_i given by the following expression is determined.

s_i = s_{i-1} + k_i + d_i \left( e_i + \sum_{j=1}^{i} r_j \right) \pmod{n}

Step 1009: A set of the numerical values (r_1, ..., r_i, s_i) is outputted as the digital signature.

The embodiments of the invention described by reference to Figs. 3 to 5 are directed to the multiple digital signature
realized by making use of the addition defined on the elliptic curve. However, in general, such multiple digital signature 
can equally be realized by resorting to binary operation defined on the abelian group. 

By way of example, in a set Z_n of integers from "1" to "n - 1" (where n represents a large prime number on the order
of 1,000 bits), multiplication is defined in the world of modulo n. Then, Z_n represents an abelian group. The base point
P (1 < P < n) is selected appropriately with the private key d and the public key Q being so selected that the following
relation can apply valid:

Q = P^d (mod n)    (1)

In conjunction with the above expression (1), it is noted that the problem of determining d for given values of Q, P
and n represents a discrete logarithm problem which is difficult to solve in view of the computational overhead when the
value of n is large.

On the presumption mentioned above, the single digital signature generation algorithm (AL_1) 105 described
previously by reference to Fig. 2, for example, is modified as follows:

Single Digital Signature Generation Algorithm (AL_1)

Step 201: The processing is started.
Step 202: The user A's created document, the base point P and the private key d_1 are inputted.
Step 203: A random number or integer k_1 of l_H bits is generated.
Step 204: Computation is performed for determining x_1 = P^{k_1}.
Step 205: A hash value r_1 = h(x_1) of l_H/2 bits is computed.
Step 206: A hash value e_1 = H(M_1) of l_H bits is computed.
Step 207: Computation is performed for determining the tally s_1 = k_1 + d_1(e_1 + r_1) (mod n).
Step 208: Value of the single digital signature (r_1, s_1) is outputted.
Step 209: The processing comes to an end.



The single digital signature (r_1, s_1) obtained, being modified as mentioned above, brings about advantageous
effects similar to those obtained in the digital signature generating/verifying method described hereinbefore by
reference to Fig. 2. Similar modification of the multiple digital signatures can provide similar advantages as those mentioned
hereinbefore.
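
The modified single-signature algorithm above and the N-tuple generation and verification procedures can be exercised end to end in the multiplicative group. The following Python code is an added example, not code from the patent: the modulus 2^1279 - 1, the base 3, SHA-256 truncated to l_H = 160 and l_H/2 = 80 bits, and all function names are assumptions. It also reduces the tally s modulo the group order n - 1 instead of n as written in the step list, so that exponent arithmetic in P^s is consistent.

```python
import hashlib
import secrets

# Constructed demo parameters (assumptions, not values from the patent text).
N_MOD = 2**1279 - 1   # prime modulus n (a Mersenne prime), on the order of 1,000 bits
ORDER = N_MOD - 1     # order of the multiplicative group; exponents are reduced mod this
P = 3                 # base point P with 1 < P < n
L_H = 160             # output length of the full hash H; h outputs L_H/2 bits


def _truncated_sha256(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(data) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def H(message: bytes) -> int:
    """Full-length hash e = H(M), L_H bits (prefix separates it from h)."""
    return _truncated_sha256(b"H" + message, L_H)


def h(x: int) -> int:
    """Half-length hash r = h(x), L_H/2 bits."""
    width = (N_MOD.bit_length() + 7) // 8
    return _truncated_sha256(b"h" + x.to_bytes(width, "big"), L_H // 2)


def keygen():
    """Private key d and public key Q = P^d (mod n), expression (1)."""
    d = secrets.randbelow(ORDER - 1) + 1
    return d, pow(P, d, N_MOD)


def sign(message, d, rs=(), s_prev=0, x_prev=1):
    """Steps 1002-1009 with multiplication in place of point addition.

    With the defaults this is the single signature of steps 201-209.
    """
    k = secrets.randbelow(2**L_H - 1) + 1          # random k_i of l_H bits
    x = (x_prev * pow(P, k, N_MOD)) % N_MOD        # x_i = x_{i-1} * P^{k_i}
    rs = tuple(rs) + (h(x),)                       # r_i = h(x_i)
    s = (s_prev + k + d * (H(message) + sum(rs))) % ORDER
    return rs, s


def verify(messages, pubkeys, rs, s):
    """Steps 901-910: return x_N when authenticated, otherwise None."""
    if not messages or not (len(messages) == len(pubkeys) == len(rs)):
        return None
    x = pow(P, s, N_MOD)
    r_sum = 0
    for m, q, r in zip(messages, pubkeys, rs):
        r_sum += r                                  # r_1 + ... + r_k
        x = (x * pow(q, -(H(m) + r_sum) % ORDER, N_MOD)) % N_MOD
    return x if h(x) == rs[-1] else None


def countersign(messages, pubkeys, rs, s, new_message, d):
    """User i verifies the (i-1)-tuple signature, then extends it to an i-tuple."""
    x_prev = verify(messages, pubkeys, rs, s)
    if x_prev is None:
        raise ValueError("preceding signature not authenticated")
    return sign(new_message, d, rs, s, x_prev)
```

Each added signer contributes one 80-bit r_i, while a single tally s is carried forward; only the last r_i is compared in verification, the earlier ones being bound through the exponents.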

With the arrangements of the digital signature generating/verifying systems described above, there can be assured 
such advantageous effects as mentioned below. 

(1) It is impossible to forge a digital signature of other person without knowing the other person's private key.
Security concerning the forgery prevention of the single digital signature (r_1, s_1) will be demonstrated by the proposition
1 described hereinafter.

(2) The length of the digital signature can be shortened. By way of example, assuming that the order q is 160 bits
and that the length of the output value of the total hash function H is 160 bits, then the length of the single digital
signature in the conventional system is 240 bits. By contrast, in the case of the systems according to the invention,
the length of the single digital signature is 240 bits. Furthermore, the length of the duple digital signature in the
conventional system is 640 bits, whereas in the systems according to the invention, it is only 320 bits. In general, in the
case where the N-tuple digital signature is affixed, the total length of the digital signatures is of 320 x N bits,
whereas in the system according to the present invention, it is 160 + 80 x N bits. Thus, when the value of N is large,
the length of the digital signature according to the invention can be reduced by ca. 1/4 when compared with the
signature length in the conventional system. In other words, the length of the digital signature can be significantly
reduced according to the teachings of the invention.

(3) According to the invention, it is possible to make the length of the digital signature be independent of the length
of the order n. Assuming now that the length of the output of the total hash function H is sufficiently greater than
that of the random integer k, the length of the tally s of the signature can be suppressed smaller than the length of
the outputs of the total hash function H plus the length of the private key d. Thus, independent of the length of the
order n, the length of the N-tuple digital signatures can be made to be not greater than "the length of the output of
the whole hash function H + private key d + N x length of the output of the half-hash function h".



In each of the digital signature generation/verification system according to the embodiment of the invention 
described above, the processing steps of executing the digital signature generating method can be stored in the form 
of a program in a recording medium such as a CD-ROM, a floppy-disk, a semiconductor memory or the like, wherein
the program can be loaded and executed in a computer for generating the digital signature for thereby generating the 
digital signature. Similarly, the processing steps included in the input digital signature verifying method can be loaded 
in the computer for the digital signature verification in the form of a program to be executed for verifying the digital sig- 
nature. Needless to say, the digital signature generating/verifying program mentioned above may be down-loaded to cli- 
ent personal computers from the server computer.

Lemma (Subsidiary Proposition) 1

It is presumed that H represents a hash function having a one-way property, that the algorithm AL is not difficult to
execute in view of the computational overhead, and that data generated without resorting to the use of the hash function is
inputted to thereby generate on a memory in the course of computation the numerical values of y and x which satisfy
the equation "y = H(x)". In that presumed case, the numerical value y can never make appearance on the memory so
long as the numerical value x has not made appearance ever on the memory in the past.

Demonstration 

Demonstration will be made by resorting to "reductio ad absurdum (reduction to absurdity)" or irrationality. It is
assumed that the value y satisfying the function y = H(x) made appearance on the memory in precedence to the
value x. However, since the hash function H is of the one-way property, computation for the reverse transformation of
the hash function H, i.e., x = H^{-1}(y), is impossible. Accordingly, in order to generate the value x on the memory it is
necessary to supply externally such input data from which the value x capable of satisfying the hash function y = H(x)
is obtained, which however contradicts the inputting of the data generated without using the hash function H.

The Demonstration of the lemma 1 is now concluded. 

Proposition 1 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved.
Additionally, it is assumed that the hash function H(·) of l_H bits has the collision-free property as well as the one-way
property. Furthermore, it is presumed that the hash function h(·) of l_H/2 bits has also the one-way property. In that case,
when l_n ≥ l_H, there exists no algorithm AL_3 which can output, in response to the inputting of the base point (system key)
P and the public key Q_1, the message M_1 and the single digital signature (r_1, s_1) for which the algorithm AL_1 outputs
"authenticate" so long as the private key d_1 is unknown.

Demonstration 

Now, it is supposed that such algorithm AL_3 exists which can output, in response to the inputted system key or base
point P and the public key Q_1, the message M_1 and the single digital signature (r_1, s_1) for which the verification
processing AL_1' outputs "authenticate" without knowing the private key d_1. More specifically, it is supposed that such algorithm
AL_3 exists for which the inputs and the outputs are as follows:

Input to the algorithm AL_3:

system key (base point) P, and public key Q_1

Output from the algorithm AL_3:

message M_1, single digital signature (r_1, s_1)

where the message M_1 and the single digital signature (r_1, s_1) satisfy the following conditions:

(x_1, y_1) = s_1 P - (e_1 + r_1) Q_1    (2)
r_1 = h(x_1)    (3)
e_1 = H(M_1)    (4)

It should be noted that l_n ≥ l_H holds true.

On the conditions mentioned above, the number of the outputs from the algorithm AL_3 is three, i.e., M_1, s_1 and r_1.
Accordingly, in the course of the processing according to the algorithm AL_3, the correct output values make appearance
in either one of the orders or sequences mentioned below:

Case 1: Correct output values make appearance in the sequence of s_1, r_1 and M_1.
Case 2: Correct output values make appearance in the sequence of r_1, s_1 and M_1.
Case 3: Correct output values make appearance in the sequence of s_1, M_1 and r_1.
Case 4: Correct output values make appearance in the sequence of M_1, s_1 and r_1.
Case 5: Correct output values make appearance in the sequence of r_1, M_1 and s_1.
Case 6: Correct output values make appearance in the sequence of M_1, r_1 and s_1.



EP 0 840 478 A2 



In the Cases 1 and 2 mentioned above, the correct output values of s_1 and r_1 make appearance in precedence with
the correct value of the message M_1 making no appearance at a given time point in the course of the processing. Since
h in the expression (3) represents the hash function, the correct output value of the tally x_1 must make appearance in
precedence to that of the tally r_1 in the light of the "Lemma 1" stated previously. When the value of the tally x_1 is
determined, the value of the tally y_1 assumes either one of two values ±p because the term (x_1, y_1) in the expression (2)
represents a point on the elliptic curve E. In correspondence to the value +p or -p of the tally y_1, the hash value e_1 which
can satisfy the condition given by the expression (2) is limited to two different values. After the time point of concern,
the message M_1 satisfying the condition given by the expression (4) so that the hash value e_1 assumes either one of
the two values must be determined, which however contradicts the fact that "H" in the expression (4) represents the
hash function. Accordingly, the situations corresponding to the Cases 1 and 2 can not take place.

In the Cases 3 and 4 mentioned above, the correct output value of s_1 and the message M_1 make appearance in
precedence with the correct output value r_1 making no appearance at a given time point in the
course of the processing. At this time point, the hash value e_1 can be determined definitely in accordance with the
expression (4). After this time point, the value of the tally r_1 satisfying the conditions given by the expressions (2) and
(3) must be determined. However, it will never occur that the correct output value of the tally r_1 makes appearance at
first, being followed by determination of the value for the coordinate x_1. This is because "h" in the expression (3)
represents the hash function. Besides, such case will not occur in which the correct output value of x_1 makes appearance in
precedence and thereafter the value of r_1 is determined. Because, if otherwise, the discrete logarithm problem
concerning the addition on the ellipse can be solved in conjunction with the expression (2), which contradicts the proposition
stated hereinbefore. In other words, the value of r_1 can not be determined at any time point. Thus, the situations
corresponding to the Cases 3 and 4 can not occur.

In the Cases 5 and 6 mentioned above, the correct output values of the tally r_1 and the message M_1 make
appearance in precedence with the correct value of the tally s_1 making no appearance at a given time point in the course of
the processing. At this given time point, the hash value e_1 can be determined definitely in accordance with the
expression (4). After this time point, the value of the tally s_1 satisfying the conditions given by the expressions (2) and (3) must
be determined. However, it will never occur that the correct output value of the tally s_1 makes appearance at first, being
then followed by determination of the value for the coordinate x_1. This is because "h" in the expression (3) represents
the hash function and the correct output value of x_1 can make appearance before the output value of r_1 is determined
precedingly. Besides, such case will not occur in which the correct output value of x_1 makes appearance in precedence
and thereafter the value of s_1 is determined. Because, if otherwise, the expression (2) can be solved concerning the
unknown s_1, that is, the discrete logarithm problem concerning the addition on the ellipse can be solved, which
contradicts however the proposition stated hereinbefore. In other words, the value of s_1 can not be determined at any time
point. Thus, the situations corresponding to the Cases 5 and 6 can not occur.

Thus, there occurs none of the situations corresponding to the Cases 1 to 6 mentioned previously. Thus, the
algorithm AL_3 does not exist.

Now, the demonstration is concluded.

By the way, it should be noted in conjunction with the demonstration of the Proposition 1 that the algorithm AL_3
may exist unless the condition of the Proposition 1 that l_n ≥ l_H applies valid.

To say in another way, if the condition l_n < l_H should hold true, there may arise such situation that the message M_1
and the single digital signature (r_1, s_1) for which the single digital signature verifying algorithm AL_1' outputs
"authenticated" can be generated without knowing the private key d_1.

By way of example, let's suppose that in the computation "s = k + d(r + e) (mod n)", the value of l_n is small and
hence the value of n is small. Then, the collision-free property of hash value e = H(M) (mod n) may collapse, incurring
such case where computation is performed such that the tally e can assume a same value for messages M and M'
notwithstanding of the fact that the message M is not same as the message M', i.e., M ≠ M', as exemplified below.

Let's suppose, by way of example, that the messages M and M' are written applications for purchasing a car.






Message M

To FT J#&»GH Sales Company
I will purchase the car A at 1,050,000 yens.
To be signed by Takaragi

Message M'

To IG#. Hy8(Jk) Sales Company
I will purchase the car A at 2,050,000 yens.
To be signed by Takaragi



Again suppose that the malicious sales company prepared the written application for purchase such as the
message M and handed it over to Mr. Takaragi under the false pretense that the leading character string "FT J# * GH" is
added for the purpose of ensuring security and that Mr. Takaragi signed the written application (message M) with
pleasure because of low price of the car A. Later on, Mr. Takaragi receives a bill demanding payment of 2,050,000 yens
together with the exhibit of the message M' affixed with his signature to his great surprise. However, verification of the
message M' shows that Mr. Takaragi has signed the written application or message M'.

In order to exclude positively the injustice such as mentioned above, it is necessary that H represents the hash
function which has not only the one-way property but also the collision-free property and that the parameter n relevant
to the elliptic curve relation is assigned with a large value for validating the condition that l_n ≥ l_H.
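
Why a verifier should reject parameters with l_n < l_H can be seen on a deliberately tiny order. The following Python code is an added example, not code from the patent; SHA-256 truncated to l_H = 160 bits as H, the 24-bit value used for n, the message texts and all function names are constructed assumptions. Because e enters the signature only through "s = k + d(r + e) (mod n)", two applications whose hashes agree modulo n are accepted under exactly the same signature.

```python
import hashlib

L_H = 160                 # output length of the full hash H in bits
TOY_N = 2**24 - 3         # constructed toy order n with l_n = 24, far below l_H

# Constructed sample texts modelled on the two purchase applications above.
APPLICATION_M = b"Sales Company: I will purchase the car A at 1,050,000 yens."
APPLICATION_M2 = b"Sales Company: I will purchase the car A at 2,050,000 yens."


def H(message: bytes) -> int:
    """Full-length hash H(M): leading L_H bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - L_H)


def parameters_ok(n: int) -> bool:
    """The condition l_n >= l_H required by Proposition 1."""
    return n.bit_length() >= L_H


def find_colliding_applications(n, text_a, text_b, max_tries=200_000):
    """Vary a leading character string until H(M) = H(M') (mod n).

    Returns (M, M') built from text_a and text_b, or None if none is found
    within max_tries. For a small n this succeeds after a few thousand tries;
    for l_n >= l_H the work is that of a collision on the full hash.
    """
    seen = {}
    for i in range(max_tries):
        m_a = b"%06x " % i + text_a
        seen.setdefault(H(m_a) % n, m_a)       # remember e mod n for variants of M
        m_b = b"%06x " % i + text_b
        hit = seen.get(H(m_b) % n)             # does a variant of M' reduce to the same e?
        if hit is not None:
            return hit, m_b
    return None


def same_signature_input(n, m, m_prime) -> bool:
    """True when both messages give the same e modulo n, i.e. share valid signatures."""
    return H(m) % n == H(m_prime) % n
```

A signer or verifier that calls parameters_ok before using n never reaches the situation the search exploits.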

It should be additionally mentioned in conjunction with the "Demonstration" described above that the hash function
h may be only of the one-way property and need not necessarily have the collision-free property. However, in case the
hash function h is not of the one-way property, the values which can satisfy the condition given by the expression (3)
may be found by arithmetically determining a variety of values for x by changing s and M while fixing r in the expression
(2). The message M and the signature (s, r) found in this way may constitute forged message and signature. For this
reason, it is necessarily required that the hash function h is of the one-way property.

Moreover, according to the teaching of the invention, the length of the digital signature can be shortened.

More specifically, the single digital signature (r_1, s_1) has a bit length equal to l_n + l_H/2 (e.g. 240 bits), and thus the
length of the signature can be shortened when compared with the conventional signature length l_n + l_n (e.g. 320 bits).
Furthermore, the length of the duple digital signature (r_1, r_2, s_2) is (l_n + l_H/2 + l_H/2) bits (e.g. 320 bits), which is
significantly shorter than the length of the conventional signature l_n + l_n + l_n (e.g. 480 bits).

Proposition 2 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved.
Additionally, it is assumed that the hash function H(·) of l_H bits has the collision-free property as well as the one-way
property. Furthermore, it is presumed that the hash function h(·) of l_H/2 bits has the one-way property as well. In that
case, so long as l_n ≥ l_H, there exists no algorithm AL_4 which can output the duple digital signature (r_1, r_2, s_2) for which
the algorithm AL_2 outputs "authenticated" without knowing the private key d_1.

Demonstration 

Now, it is supposed that such algorithm AL_4 exists which generates the duple digital signature (r_1, r_2, s_2) for which
the verification processing according to the algorithm AL_2' outputs "authenticated" without knowing both the private key
d_1 and the private key d_2. Namely, presumption is made as follows:

Input to the processing AL_4:

system key (base point) P, and public keys Q_1 and Q_2, and

Output from the processing AL_4:

messages M_1 and M_2, and duple digital signature (r_1, r_2, s_2),

where the duple digital signature (r_1, r_2, s_2) satisfies the following conditions:

e_1 = H(M_1)    (4)
e_2 = H(M_2)    (5)
(x_2, y_2) = s_2 P - (e_1 + r_1) Q_1 - (e_2 + r_1 + r_2) Q_2    (6)
r_2 = h(x_2)    (7)

In the course of executing the processing according to the algorithm AL_4, the correct output values make
appearance in either one of the sequences mentioned below:

Case 1: Correct output values make appearance in the sequence of s_2, r_1 and r_2.
Case 2: Correct output values make appearance in the sequence of r_1, s_2 and r_2.
Case 3: Correct output values make appearance in the sequence of s_2, r_2 and r_1.
Case 4: Correct output values make appearance in the sequence of r_2, s_2 and r_1.
Case 5: Correct output values make appearance in the sequence of r_1, r_2 and s_2.
Case 6: Correct output values make appearance in the sequence of r_2, r_1 and s_2.

In conjunction with the Cases 1 to 6 mentioned above, it is noted that the computation sequence that the correct
output value of the tally r_2 is determined in accordance with the expression (7) only after the correct output value of the
coordinate x_2 has made appearance is common to all the Cases 1 to 6. If otherwise, it contradicts the presumption that
the hash function h is of the one-way property.

Additionally, the computation sequence that the hash values e_1 and e_2 are determined in accordance with the
expressions (4) and (5), respectively, only after the correct output values of the messages M_1 and M_2 have made
appearance is also common to all the aforementioned Cases 1 to 6. If otherwise, it contradicts the presumption that
the hash function H is of the one-way property and collision-free.

In the Cases 1 and 2, the correct output values of the tallies s_2 and r_1 make appearance at first at a given time point
in the course of executing the processing, whereas the correct output value of the tally r_2 makes no appearance. After
the above-mentioned given time point, the tally r_2 which satisfies the condition given by the expression (6) must be
determined. In this conjunction, however, the following facts (a), (b) and (c) have to be taken into account.



(a) Such situation does not occur in which the correct output value of the tally r_2 makes appearance finally after the
appearance of the correct hash values e_1 and e_2. More specifically, the computation sequence in this case will be
such that the value of the coordinate x_2 is determined and then the tally r_2 determined. However, this means that
the equation (6) can be solved with the tally r_2 as the unknown, which contradicts the presumption that the discrete
logarithm problem on the elliptic curve is insolvable.

(b) Such situation can not occur that the correct hash value e_2 is outputted only after the appearance of the correct
output values for the hash value e_1 and the tally r_2, because, if otherwise, the equation (6) is solved with the hash
value e_2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic
curve is insolvable.

(c) Such situation can not occur that the correct output value for the hash value e_1 makes appearance only after
the appearance of the correct output values for the hash value e_2 and the tally r_2, because, if otherwise, the
equation (6) is solved with the hash value e_2 as the unknown, which of course contradicts the presumption that the
discrete logarithm problem on the elliptic curve is insolvable.

In the Cases 3 and 4, the correct output values of the tallies s_2, r_2 and x_2 make appearance at first at a given time
point in the course of executing the processing, whereas the correct output value of the tally r_1 makes no appearance.
After the above-mentioned given time point, the tally r_1 which satisfies the condition given by the expression (6) must
be determined. Such situation does not occur in which the correct output value of the tally r_1 makes appearance finally
after the appearance of the correct hash values e_1 and e_2. Supposing that the correct output value for the hash value
e_2 makes appearance finally, then it follows:



(i) If the private keys d_1 and d_2 are known, the expression (6) can be modified as follows:

(x_2, y_2) = {s_2 - d_1(e_1 + r_1)}P - (e_2 + r_1 + r_2)Q_2    (8)

The above equation (8) is solvable with a tally r_1 as the unknown, which of course contradicts the presumption that
the discrete logarithm problem on the elliptic curve is insolvable.

(ii) If the private key d_2 is known with the private key d_1 being unknown, the expression (6) can be modified as
follows:

(x_2, y_2) = {s_2 - d_2(e_2 + r_1 + r_2)}P - (e_1 + r_1)Q_1    (9)

The above equation (9) is solvable with the tally r_1 as the unknown, which is in contradiction to the presumption that
the discrete logarithm problem on the elliptic curve is insolvable.

(iii) When neither the private key d_2 nor the private key d_1 is known, the equation (6) is solvable with the tally r_1 as
the unknown, which is in contradiction to the presumed insolvability of the discrete logarithm problem on the elliptic
curve.

In view of the foregoing, it can be concluded that the correct output value for the tally r_1 cannot make appearance
finally after the output of the correct hash values e_1 and e_2.

(b) Such situation can not occur that the correct output value for the hash value e_2 makes appearance only after
the appearance of the correct output values for the hash value e_1 and the tally r_1, because, if otherwise, the
equation (6) is solved with the hash value as the unknown, which of course contradicts the presumption that the
discrete logarithm problem on the elliptic curve is insolvable.

(c) Such situation can not occur that the correct output value for the hash value e_1 makes appearance only after
the appearance of the correct output values for the hash value e_2 and the tally r_1, because, if otherwise, the
equation (6) is solved with the hash value e_2 as the unknown, which of course contradicts the presumption that the
discrete logarithm problem on the elliptic curve is insolvable. Thus, Cases 3 and 4 can not occur.

In the Cases 5 and 6, the correct output values of the tallies r_1, r_2 and x_2 make appearance at first at a given time
point in the course of executing the processing, whereas the correct output value of the tally s_2 makes no appearance.
After the above-mentioned given time point, the tally s_2 which satisfies the condition given by the expression (6) must
be determined. In this conjunction, however, the following facts (a), (b) and (c) have to be taken into account. However,
in that case, (a) such situation does not occur in which the correct output value of the tally s_2 makes appearance finally
after the appearance of the correct hash values e_1 and e_2. Because, this means that the equation (6) can be solved with
the tally s_2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic curve
is insolvable. Further, (b) such situation can not occur that the correct hash value e_2 is outputted only after the
appearance of the correct output values for the hash value e_1 and the tally s_2, because, if otherwise, the equation (6) is solved
with the hash value e_2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the
elliptic curve is insolvable. Furthermore, (c) such situation can not occur that the correct output value for the hash value
e_1 makes appearance only after the appearance of the correct output values for the hash value e_2 and the tally s_2,
because, if otherwise, the equation (6) is solved with the hash value e_2 as the unknown, which of course contradicts the
presumption that the discrete logarithm problem on the elliptic curve is insolvable. Thus, Cases 5 and 6 can not occur.

From the foregoing, it is concluded that none of the Cases 1 to 6 can occur and thus the algorithm AL4 does not
exist.

Now, the demonstration is concluded. 

As will now be appreciated from the foregoing description, there have been provided a public key encryption 
method of high security and a system for carrying out the same. 

Further, with the public key encryption method and the system according to the invention, the length of the digital 
signature can be shortened. 

Additionally, according to the present invention, the public key encryption method and the system can be so
realized that the length of the digital signature has no dependency on the length of the order of the base point
(system key).

Many features and advantages of the present invention are apparent from the detailed description and thus it is
intended by the appended claims to cover all such features and advantages of the system which fall within the true spirit
and scope of the invention. Further, since numerous modifications and combinations will readily occur to those skilled
in the art, it is not intended to limit the invention to the exact construction and operation illustrated and described.
Accordingly, all suitable modifications and equivalents may be resorted to, falling within the spirit and scope of the
invention.
Claims

1. A digital signature generating method for generating a digital signature authenticating electronically a signature
affixed to a given message (M) by resorting to a public key encryption scheme, comprising the steps of:

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash
function (H);

determining for a numerical value (x) obtained from translation of a random number a second hash value (r)
satisfying a condition that r = h(x) by using a second hash function (h) whose output value is shorter than that
of said first hash function (H); and

arithmetically determining and outputting said digital signature by using said first hash value (e) and said
second hash value (r) as determined.

2. A digital signature generating method according to claim 1,

wherein for generating a digital signature (r_1, s_1) for a given message (M_1), said method comprises the steps
of:

determining a hash value (e_1) satisfying a condition that e_1 = H(M_1) by using a first hash function (H);

generating a random number (k_1);

determining a point (R_1 (= k_1 P)) by multiplying a point (P) of an abelian group by said random number (k_1);

determining a first numerical value (r_1) satisfying a condition that r_1 = h(R_1) by using the second hash function
(h) whose output value is shorter than the output value of the first hash function (H);

determining a second numerical value (s_1) satisfying a condition that s_1 = k_1 + d_1(e_1 + r_1) (mod n) by using the
order (n) of said point (P) of said abelian group and a private key (d_1); and

outputting a set of said determined numerical values (r_1, s_1) as a digital signature.

3. A digital signature generating method according to claim 1,

wherein said point (P) of said abelian group corresponds to a base point (P) on an elliptic curve. 

4. A digital signature verifying method for verifying a digital signature authenticating electronically a signature affixed
to a given message (M) by resorting to a public key encryption scheme, comprising the steps of:

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash
function (H);

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s),
a public key (Q) and a base point (P) a second hash value (r') satisfying a condition that r' = h(x) from said first
hash value (e), said digital signature (r, s), said base point (P) and said public key (Q) by using a second hash
function (h) whose output value is shorter than that of said first hash function (H); and

comparing said hash value (r') with a tally (r) of said inputted digital signature to thereby obtain a result of
verification of said inputted digital signature.

5. A digital signature verifying method according to claim 4,

wherein for verifying a digital signature (r_1, s_1) of a given message (M_1), said method comprises the steps of:

determining a hash value (e_1) satisfying a condition that e_1 = H(M_1);

inputting a public key (Q_1) generated previously so as to satisfy a condition Q_1 = d_1 P, where d_1 represents a
private key, said public key (Q_1) having been registered;

determining arithmetically a point (R_1) of an abelian group, said point (R_1) being given by
R_1 = s_1 P - (e_1 + r_1)Q_1;

determining a hash value (r_1') satisfying a condition that r_1' = h(R_1);

outputting a data indicating that said digital signature is authenticated, when said hash value (r_1') coincides
with a tally (r_1) of said digital signature; and

outputting data indicating that said digital signature is not authenticated unless said hash value (r_1') coincides
with said tally (r_1) of said digital signature.

6. A digital signature verifying method according to claim 5, 

wherein said abelian group includes an elliptic curve. 
7. A digital signature generating method for generating a multiple digital signature authenticating electronically
signatures affixed to messages and/or comments (M_i) as created and/or added sequentially by N users i (where
i = 1, ..., N) by using a public key encryption scheme, comprising the steps of:

(a) determining for a given one of said messages (M_i) a first hash value (e_i) satisfying a condition that e_i = H(M_i)
by using a first hash function (H);

(b) determining for a numerical value (x_i) obtained from translation of a random number a second hash value (r_i)
satisfying a condition that r_i = h(x_i) by using a second hash function (h) whose output value is shorter than that
of said first hash function (H);

(c) executing said computation steps (a) and (b) for each of said users i (where i = 1, ..., N); and

(d) determining arithmetically said multiple digital signatures on the basis of the hash values (e_i and r_i)
determined in said execution step (c).

8. A multiple digital signature generating method according to claim 7,

wherein for generating said multiple digital signature by users i (i ≥ 2), said method comprises the steps of:

inputting a set of numerical values (x_{i-1}, y_{i-1}) obtained from translation of random numbers;

computing a hash value e_i = H(M_i);

generating a random number k_i;

computing a point k_i P = (x, y);

computing a point (x_i, y_i) = (x_{i-1}, y_{i-1}) + (x, y);

computing a hash value r_i = h(x_i);

determining by using a private key (d_i) a tally (s_i) satisfying a condition given by following expression:

s_i = s_{i-1} + k_i + d_i (e_i + \sum_{k=1}^{i} r_k) (mod n);

and

outputting a set of numerical values (r_1, ..., r_i, s_i) as said multiple digital signature.

9. A digital signature verifying method for verifying a multiple digital signature authenticating electronically signatures
affixed to messages and/or comments (M_i) as created and/or added sequentially by N users i (where i = 1, ..., N)
by resorting to a public key encryption scheme, comprising the steps of:

(a) determining for the inputted message (M_i) a first hash value (e_i) satisfying a condition that e_i = H(M_i) by
using a first hash function (H);

(b) determining for a numerical value (x_i) obtained by arithmetic operation of an inputted multiple digital
signature (r_i, s_i), a public key (Q) and a base point (P), a second hash value (r_i') satisfying a condition that
r_i' = h(x_i) on the basis of said first hash value (e_i), said digital signature (r_i, s_i), said base point (P) and
said public key (Q) by using a second hash function (h) whose output value is shorter than that of said first hash
function (H);

(c) executing said steps (a) and (b) for each of said users i (where i represents integers "1" to "N" inclusive,
respectively); and

(d) comparing each of said hash values (r_i') determined in said step (c) with each of tallies (r_i) of said inputted
multiple digital signature to thereby obtain results of verification of said inputted digital signature.

10. A multiple digital signature verifying method according to claim 7,

wherein for generating a multiple digital signature by users i (i ≥ 2), said method comprises the steps of:

inputting (i - 1) messages and/or comments (M_1, ..., M_{i-1}) and (i - 1)-tuple digital signature
(r_1, ..., r_{i-1}, s_{i-1}) issued by an immediately preceding user (i - 1);

repeating computation of hash values e_k = H(M_k), where k represents 1 to (i - 1);

inputting repetitionally public keys Q_k generated so as to satisfy a condition that Q_k = d_k P and registered
previously, where k represents 1 to (i - 1);

computing a point (R_{i-1}) of an abelian group in accordance with
M *
*«1 M.I 

computing a hash value r_{i-1}' = h(R_{i-1});

issuing data indicating "authenticated" when said hash value (r_{i-1}') coincides with a tally (r_{i-1}) of said
(i - 1)-tuple digital signature (i.e., when r_{i-1}' = r_{i-1}); and

issuing data indicating "not-authenticated" unless said hash value (r_{i-1}') coincides with said tally (r_{i-1})
(i.e., when

11. A digital signature verifying method according to claim 10,

wherein said abelian group includes an elliptic curve. 

12. A digital signature generating system for generating a digital signature authenticating electronically a signature
affixed to a given message (M) by resorting to a public key encryption scheme, comprising:

processing means for determining for said message (M) a first hash value (e) satisfying a condition that
e = H(M) by using a first hash function (H);

processing means for determining for a numerical value (x) obtained from translation of a random number a
second hash value (r) satisfying a condition that r = h(x) by using a second hash function (h) whose output
value is shorter than that of said first hash function (H); and

arithmetic/output means for arithmetically determining and outputting said digital signature by using said first
hash value (e) and said second hash value (r) as determined.

13. A digital signature generating system according to claim 12,

wherein for generating a digital signature (r_1, s_1) for a given message (M_1), said system comprises:

means for determining a hash value (e_1) satisfying a condition that e_1 = H(M_1) by using the first hash function
(H);

means for generating a random number (k_1);

means for determining a point (R_1 (= k_1 P)) by multiplying a point (P) of the abelian group by said random
number (k_1);

means for determining a first numerical value (r_1) satisfying a condition that r_1 = h(R_1) by using the second
hash function (h) whose output value is shorter than that of said first hash function (H);

means for determining a second numerical value (s_1) satisfying a condition that s_1 = k_1 + d_1(e_1 + r_1) (mod n)
by using order (n) of said point (P) of the abelian group and a private key (d_1); and

means for outputting a set of said determined numerical values (r_1, s_1) as a digital signature.

14. A digital signature verifying system according to claim 13,

wherein said abelian group corresponds to an elliptic curve.

15. A digital signature verifying system for verifying a digital signature authenticating electronically a signature affixed
to a given message (M) by resorting to a public key encryption scheme, comprising:

first arithmetic means for determining for said given message (M) a first hash value (e) satisfying a condition
that e = H(M) by using a first hash function (H);

second arithmetic means coupled to said first arithmetic means for determining for a numerical value (x)
obtained from arithmetic operation of an inputted digital signature (r, s), a public key (Q) and a base point (P)
a second hash value (r') satisfying a condition that r' = h(x) from said first hash value (e), said digital signature
(r, s), said base point (P) and said public key (Q) by using a second hash function (h) whose output value is
shorter than that of said first hash function (H); and

verification result output means coupled to said first and second arithmetic means for comparing said hash
value (r') with a tally (r) of said inputted digital signature to thereby obtain a result of verification of said inputted
digital signature.

16. A digital signature verifying system according to claim 15,

wherein for verifying a digital signature (r_1, s_1) of a given message (M_1), said system comprises:

means for determining a hash value (e_1) satisfying a condition that e_1 = H(M_1);

means for inputting a public key (Q_1) generated previously so as to satisfy a condition Q_1 = d_1 P, where d_1
represents a private key, said public key (Q_1) having been registered;

means for determining arithmetically a point (R_1) of an abelian group, said point (R_1) being given by R_1 =

means for determining a hash value (r_1') satisfying a condition that r_1' = h(R_1);

means for outputting a data indicating that said digital signature is authenticated, when said hash value (r_1')
coincides with a tally (r_1) of said digital signature; and

means for outputting data indicating that said digital signature is not authenticated unless said hash value (r_1')
coincides with said tally (r_1) of said digital signature.

17. A digital signature verifying system according to claim 16, 

wherein said abelian group includes an elliptic curve. 

18. A digital signature generating system for generating a multiple digital signature authenticating electronically
signatures affixed to message and/or comments (M_i) as created and/or added sequentially by N users' units i (where
i = 1, ..., N) by using a public key encryption scheme, comprising:

first processing means for determining for a given one of said messages (M_i) a first hash value (e_i) satisfying a
condition that e_i = H(M_i) by using a first hash function (H);

second processing means for determining for a numerical value (x_i) obtained from translation of a random
number a second hash value (r_i) satisfying a condition that r_i = h(x_i) by using a second hash function (h) whose
output value is shorter than that of said first hash function (H);

third processing means for executing the processings of said first and second processing means for each of
said users' units i (where i = 1, ..., N); and

arithmetic/output means for determining arithmetically said multiple digital signature on the basis of said hash
values (e_i and r_i) determined by said third processing means.

19. A multiple digital signature generating system according to claim 18,

wherein for generating said multiple digital signature, each of said users' units i (i ≥ 2) includes:

means for inputting said set of numerical values (x_{i-1}, y_{i-1}) obtained from the translation of random numbers;

means for computing a hash value given by e_i = H(M_i);

means for generating a random number k_i;

means for computing a point given by k_i P = (x, y);

means for computing a point given by (x_i, y_i) = (x_{i-1}, y_{i-1}) + (x, y);

means for computing a hash value given by r_i = h(x_i);

means for determining by using a private key (d_i) a numerical value (s_i) satisfying a condition given by



K-1 



and 

means for outputting a set of determined numerical values (r_1, ..., r_i, s_i) as the digital signature.

20. A digital signature verifying system for verifying a multiple digital signature authenticating electronically signatures
affixed to messages and/or comments (M_i) as created and/or added sequentially by N users' units i (where
i = 1, ..., N) by resorting to a public key encryption scheme, comprising:

first arithmetic means for determining for the inputted message (M_i) a first hash value (e_i) satisfying a condition
that e_i = H(M_i) by using a first hash function (H);

second arithmetic means for determining for a numerical value (x_i) obtained by arithmetic operation of the
inputted multiple digital signature (r_i, s_i), a public key (Q) and a base point (P), a second hash value (r_i')
satisfying a condition that r_i' = h(x_i) on the basis of said first hash value (e_i), said digital signature (r_i, s_i),
said base point (P) and said public key (Q) by using a second hash function (h) whose output value is shorter than
that of said first hash function (H);

processing means for executing repetitionally the arithmetic operation of said first and second arithmetic
means for each of said users' units i (where i represents integers "1" to "N" inclusive, respectively); and

verifying means for comparing each of said hash values (r_i') determined by said processing means with each
of tallies (r_i) of said inputted multiple digital signature to thereby obtain results of verification of said inputted
digital signature.

21. A multiple digital signature verifying system according to claim 20,

wherein for authenticating a multiple digital signature by users' units i (i ≥ 2), each of said users' units
includes:

means for inputting (i - 1) messages and/or comments (M_1, ..., M_{i-1}) and (i - 1)-tuple digital signature
(r_1, ..., r_{i-1}, s_{i-1}) issued by an immediately preceding user's units (i - 1);

means for repeating computation of hash values e_k = H(M_k), where k represents 1 to (i - 1);

means for inputting repetitionally public keys Q_k generated so as to satisfy a condition that Q_k = d_k P and
registered previously, where k represents 1 to (i - 1);

means for computing a point (R_{i-1}) of an abelian group in accordance with

m * 

*-1 M.1 



means for computing hash values r_{i-1}' = h(R_{i-1});

means for issuing data indicating that said multiple digital signature is authenticated when said hash value
(r_{i-1}') coincides with a tally (r_{i-1}) of said (i - 1)-tuple digital signature (i.e., when r_{i-1}' = r_{i-1}), while
issuing data indicating that said multiple digital signature is not-authenticated unless said hash value (r_{i-1}')
coincides with said tally (r_{i-1}) (i.e., when r_{i-1}' ≠ r_{i-1}).

22. A digital signature verifying system according to claim 21,

wherein said abelian group includes an elliptic curve.

23. A computer-readable recording medium for storing a program which is composed of instructions executed by a
computer and which is for carrying out a method for generating a digital signature authenticating electronically a
signature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature
generating method comprising the steps of:

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash
function (H);

determining for a numerical value (x) obtained from translation of a random number a second hash value (r)
satisfying a condition that r = h(x) by using a second hash function (h) whose output value is shorter than that
of said first hash function (H); and

arithmetically determining and outputting said digital signature by using said first hash value (e) and said
second hash value (r) as determined.

24. A computer-readable recording medium for storing a program which is composed of instructions executed by a
computer and which is for carrying out a method for verifying a digital signature authenticating electronically a
signature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature
generating method comprising the steps of:

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s),
a public key (Q) and a base point (P), a second hash value (r') satisfying a condition that r' = h(x) on the basis
of said first hash value (e), said digital signature (r, s), said base point (P) and said public key (Q) by using a
second hash function (h) whose output value is shorter than that of said first hash function (H); and

comparing said hash value (r') with a tally (r) of said inputted digital signature to thereby obtain a result of
verification of said inputted digital signature.

25. A method of generating and verifying a digital signature using a public key encryption scheme in a system in which
a digital signature is generated by a given one computer and transmitted via a network to another computer to be
verified thereby,

for generating a digital signature (r_1, s_1) for a given message (M_1) by said given one computer,

determining a hash value (e_1) satisfying a condition that e_1 = H(M_1) by using a first hash function (H);

generating a random number (k_1);

determining a point (R_1 (= k_1 P)) by multiplying a point (P) of an abelian group by said random number (k_1);

determining a first numerical value (r_1) satisfying a condition that r_1 = h(R_1) by using a second hash function
(h) whose output value is shorter than that of said first hash function (H);

determining a second numerical value (s_1) satisfying a condition that s_1 = k_1 + d_1(e_1 + r_1) (mod n) on the basis
of the order (n) of said point (P) of said abelian group and a private key (d_1); and

sending a set of said determined numerical values (r_1, s_1) as a digital signature to said another computer via
said network; and

for verifying said digital signature (r_1, s_1) by said another computer,

fetching said digital signature (r_1, s_1) sent from said given one computer, a base point (P), a public key (Q) and
order (n) from a public file;

determining a hash value (e_1) satisfying a condition that e_1 = H(M_1);

inputting a public key (Q_1) generated previously so as to satisfy a condition Q_1 = d_1 P, where d_1 represents a
private key;

determining arithmetically a point (R_1) of an abelian group, said point (R_1) being given by
R_1 = s_1 P - (e_1 + r_1)Q_1;

determining a hash value (r_1') satisfying a condition that r_1' = h(R_1);

outputting a data indicating that said digital signature is authenticated, when said hash value (r_1') coincides
with a tally (r_1) of said digital signature; and

outputting data indicating that said digital signature is not authenticated unless said hash value (r_1') coincides
with said tally (r_1) of said digital signature.
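
The signing and verification steps of claims 2, 5 and 25 and the sequential multiple signature of claims 8 and 10 can be run end to end with the following Python example, which is added here and is not code from the patent. Assumptions: secp256k1 stands in for the abelian group, SHA-256 is used as H, SHA-256 truncated to 128 bits as h, all function names are hypothetical, and the N-signer verification sum is reconstructed from claim 8 and equation (9).

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the abelian group; the claims name no curve.
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order n of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point

def add(A, B):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def mul(k, A):
    """Double-and-add k*A. Not constant time: for illustration only."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A):
    return None if A is None else (A[0], -A[1] % FIELD)

def H(msg):
    """First hash function H (256-bit output). SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def h(R):
    """Second, shorter hash h (128 bits) over the x-coordinate. Truncated SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256(R[0].to_bytes(32, "big")).digest()[:16], "big")

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, P)                      # Q = dP

def recover_point(pubs, msgs, rs, s):
    """R_i = s_i*P - sum_j (e_j + r_1 + ... + r_j)*Q_j (reconstructed from equation (9))."""
    R, rsum = mul(s, P), 0
    for Q, m, r in zip(pubs, msgs, rs):
        rsum += r
        R = add(R, neg(mul(H(m) + rsum, Q)))
    return R

def multi_verify(pubs, msgs, sig):
    """Accept (r_1, ..., r_i, s_i) when h(R_i) equals the last tally r_i."""
    *rs, s = sig
    if not rs or not len(pubs) == len(msgs) == len(rs):
        return False
    R = recover_point(pubs, msgs, rs, s)
    return R is not None and h(R) == rs[-1]

def cosign(d, msg, pubs=(), msgs=(), sig=(0,)):
    """Claim 8 step for user i; with no predecessors it is the single signature of claim 2."""
    *rs, s_prev = sig
    if rs and not multi_verify(pubs, msgs, sig):
        raise ValueError("preceding signature does not verify")
    R_prev = recover_point(pubs, msgs, rs, s_prev) if rs else None
    R = None
    while R is None:                         # k_i must be fresh for every signature
        k = secrets.randbelow(N - 1) + 1
        R = add(R_prev, mul(k, P))           # (x_i, y_i) = (x_{i-1}, y_{i-1}) + k_i*P
    r = h(R)                                 # r_i = h(x_i)
    s = (s_prev + k + d * (H(msg) + sum(rs) + r)) % N
    return (*rs, r, s)

def verify(Q, msg, sig):
    """Claim 5: R_1 = s_1*P - (e_1 + r_1)*Q_1, accept when h(R_1) == r_1."""
    return len(sig) == 2 and multi_verify([Q], [msg], sig)
```

Each additional signer lengthens the signature by one 128-bit tally only, while s stays a single value modulo n; reusing a random number k across two signatures under the same key would expose d through the difference of the two s values.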



EP 0 840 478 A2

[FIG. 1: block diagram labelled with user A's, user B's and user C's personal computers, a system management computer and a network. User A's issued document comprises user A's created document (M_1) and user A's signature (r_1, s_1); user B's issued document comprises user A's created document (M_1), user B's comment (M_2) and users A's and B's signature (r_1, r_2, s_2).]

[FIG. 2A]

[FIG. 2B]